Abstract

In a recent paper, Lo and Chau explain how to break a family of quantum bit
commitment schemes, and they claim that their attack applies to the 1993
protocol of Brassard, Crepeau, Jozsa and Langlois (BCJL). The intuition
behind their attack is correct, and indeed they expose a weakness common
to all proposals of a certain kind, but the BCJL protocol does not fall in this
category. Nevertheless, it is true that the BCJL protocol is insecure, but the
required attack and proof are more subtle. Here we provide the first complete
proof that the BCJL protocol is insecure.

a. Introduction Recently, Lo and Chau have made available on the quant-ph
archives a preprint that explains how to break a family of quantum bit commitment
schemes, and they claim that their attack applies to the protocol of Brassard, Crepeau,
Jozsa and Langlois [], hereafter called the BCJL protocol. The intuition behind their
attack against the BCJL protocol is correct, and indeed they expose a weakness common to
all proposals of a certain kind (including []), but the BCJL protocol does not fall in this
category (see the opening paragraph in Section []). Nevertheless, it is true that the BCJL
protocol is insecure, but the proof, which we have known for quite some time [12], is more
subtle. Here we provide this first complete proof that the BCJL protocol is insecure.

We have also considered several variations on the BCJL theme. Neither Lo and Chau's
attack nor the correct attack on the BCJL protocol explained below applies to these
variations. One of these variations consists in having the photons travel in the reverse
direction compared with the original BCJL protocol. This is natural for many cryptographic
applications. Nevertheless, all these variations fail as well, for different reasons related
to subtle points in quantum information theory that only began to be understood at the time
the BCJL paper was written. A proof that none of these variations work will be the subject
of a forthcoming paper: the current paper focuses on the correct attack against the original
BCJL protocol.

Lo and Chau wrote: "The security of other quantum cryptographic protocols say for
oblivious transfer [...] remains to be examined." This is a serious concern because
quantum oblivious transfer and many other quantum protocols depend on the security of bit
commitment [], [], [19]. On the other hand, we disagree with the following sentence from Lo
and Chau: "One might wonder if all of quantum cryptography may stumble under closer
scrutinies" because our earlier proof of security for quantum key distribution [11, 13] would
hold even if secure quantum bit commitment is not possible despite the fact that it is based
on an earlier "proof" of security for quantum oblivious transfer that fails in the absence of
a secure bit commitment scheme. The reason is that the proof of security for quantum key
distribution does not depend on the security of quantum oblivious transfer, but rather on
the (correct) proof that quantum oblivious transfer would be secure if implemented on top
of a secure bit commitment scheme.

b. Bit Commitment Any cryptographic task defines the relationship between inputs and 
outputs respectively entered and received by the task's participants. In bit commitment, 
Alice enters a bit b. At a later time, Bob may request this bit and, whenever he does, he 
receives this bit, otherwise he learns nothing about b. 

In a naive but concrete realization of bit commitment, Alice puts the bit into a strong- 
box of which she keeps the key and then gives this strong-box to Bob. At a later time, if 
Bob requests the bit, Alice gives the key to Bob. The main point is that Alice cannot change 
her mind about the bit b and Bob learns nothing about it unless he obtains the key. Now, 
let us sketch the BCJL protocol. 

COMMIT(b) 

1. Bob chooses a linear code $C$ (with some required properties) and announces it to Alice.

2. Alice chooses a perfectly random string $r \in \{0,1\}^n$ and announces it to Bob.

3. Alice chooses a perfectly random string $\theta \in \{+,\times\}^n$ and a string $c$ uniformly
distributed over $\{c \in C \mid c \odot r = b\}$.

4. Alice sends $n$ photons to Bob in a product state $|c\rangle_\theta = |c_1\rangle_{\theta_1} \otimes \cdots \otimes |c_n\rangle_{\theta_n}$.

5. Bob measures the $n$ photons in a perfectly random basis $\hat\theta \in \{+,\times\}^n$ and obtains the
classical outcome $\hat c = \hat c_1 \ldots \hat c_n$.

To unveil the bit $b$, Alice announces $\theta$, $c$ and $b$ to Bob. Bob computes a function
$T_b(\theta, c, \hat\theta, \hat c, C, r)$ to test whether or not he should accept Alice's claim. The function $T_b$
returns ok if the bit $b$ announced by Alice is accepted, otherwise $T_b$ returns not ok. The
exact description of the function $T_b$ is irrelevant for our analysis. One does not need to
understand in detail how the BCJL protocol attempts to realize bit commitment to see that
it cannot work. The pair $(C, r)$ corresponds to the information that is shared between Alice
and Bob just before Alice sends the photons. Most of our analysis is done for $(C, r)$ fixed, so
$(C, r)$ is suppressed in most of the notations. For instance, from here on, $(C, r)$ is suppressed
in the input of the functions $T_b(\theta, c, \hat\theta, \hat c)$.

We denote $p(\theta, c \mid b)$ the probability of the state $|c\rangle_\theta$ given the bit $b$ that Alice has in mind.
Such a random distribution of pure states is called a mixture. The BCJL authors [] explain
that, given $b$, the results of any physical measurement whatever on the mixture prepared
by Alice depend only on the density operator $\rho_b = \sum_{\theta,c} p(\theta, c \mid b)\,(|c\rangle\langle c|)_\theta$. This means that
a dishonest Alice could send any other mixture $\{(|\psi\rangle, p(\psi))\}$ such that $\sum_\psi p(\psi)\,|\psi\rangle\langle\psi| = \rho_b$,
for some $b \in \{0, 1\}$, without being detected. It is correctly shown in [] that such a
strategy does not work. Their Theorem 3.7 implies that, for all practical purposes, any
pure state commits Alice to a single bit $b$. More precisely, once Bob has received the
$n$ photons in a pure state there exists one value $b$ such that, except with a negligible
probability, Alice cannot convince Bob that she had the opposite bit $\bar b$ in mind, that is,
$(\forall\, \theta, c)$, $\Pr(T_{\bar b}(\theta, c, \hat\theta, \hat c) = \text{ok} \mid \Psi = \psi)$ is exponentially small. The conclusion in [3] is that
the protocol is secure against Alice.

However, as explained by these authors, preparing a mixture is not the only way to
prepare a density matrix. Alice may prepare the density matrix $\rho_b$ of the $n$ photons by
introducing another system $A$ kept on her side and preparing the new incremented system
in a pure state $|\phi\rangle$. Note that a pure state $|\phi\rangle$ of the incremented system is not in general
the product of a pure state of $A$ with a pure state of the $n$ photons.

This possibility was considered in []. In the appendix of their paper, they mention
the true fact that as far as the results of Bob's measurement are concerned, this alternative
approach is equivalent to a preparation of a mixture by Alice. It is true that no matter what
Alice does on her side, at best she will be found in a situation where everything behaves
as if such a mixture had been sent to Bob. For any such mixture, it is true that Alice may
only open a single bit $b$. However, this is not sufficient to show the security against Alice.
The problem, which we explain in this paper, is that by delaying her measurement on the
system $A$ that she kept on her side Alice may choose the mixture and thus the bit $b$ after
the commit.

Let $W$ be the input $(\theta, c, \hat\theta, \hat c)$ of the functions $T_0$ and $T_1$. We consider $W$ as a random
variable. We denote $W^{(0)}$ the random variable $W$ conditioned by $b = 0$ and $W^{(1)}$ the same
random variable conditioned by $b = 1$. Both $W^{(0)}$ and $W^{(1)}$ refer to the honest protocol.

If the protocol is correct, except with negligible probability, we should have $T_b(W^{(b)}) = \text{ok}$,
that is, if Alice has been honest and has chosen the bit $b$, then Bob should accept it. The
problem with the protocol COMMIT is that a dishonest Alice, by delaying her measurement,
can choose after the commit to have $W$ behave either as $W^{(0)}$ or $W^{(1)}$. Let $\psi$ be the classical
outcome of this measurement. A dishonest Alice computes $(\theta, c)$ in view of $\psi$, and announces
$(b, \theta, c)$ to Bob. In the following, without loss of generality, we may assume that $(\theta, c)$ is
the classical outcome of a measurement $M_b^{(A)}$ executed by Alice because the computation
of $(\theta, c)$ may be considered as a part of this measurement.

Alice can cheat if she can create a state $|\phi\rangle$ of the incremented system such that, for
every $b$, there exists a measurement $M_b^{(A)}$ on the system $A$ such that

• the classical outcome $(\theta, c)$ of $M_b^{(A)}$ has the same probability distribution as the
corresponding pair $(\theta, c)$ in the honest case when Alice chooses $b$,

• whenever Alice obtains $(\theta, c)$, the $n$ photons on Bob's side collapse in the state $|c\rangle_\theta$ as
in the honest protocol.

A dishonest Alice executes $M_b^{(A)}$ after Bob has executed his measurement on the $n$
photons. However, these two measurements commute, that is, the random variable $W$ is
the same whether Alice measures before or after Bob, and the only thing that matters is
the distribution of $W$. Therefore, we may assume that Alice measures before Bob. In such
a case, the above condition says that after Alice's measurement the situation is exactly as
in the honest protocol. Therefore, when the measurement $M_b^{(A)}$ is chosen by Alice, we have
$W = W^{(b)}$, that is, $W$ behaves as it would in the honest protocol when Alice chooses the bit
$b$, and $T_b$ is expected to return ok. So Alice can cheat. In the remainder of this paper, we
show that for all practical purposes, if the protocol is secure against Bob, then the above
condition holds.

c. A simpler case This section considers the security of any bit commitment protocol in
which Alice commits herself to $b$ by sending photons to Bob where the density matrices for
$b = 0$ and $b = 1$ are identical. This is precisely the case that was independently considered by
Lo and Chau [10]. This is sufficient to break the old protocol in [2] (which is not surprising
since a simple EPR-type attack was already included in the same paper [2]) as well as a more
recent protocol proposed by Ardehali []. However, this analysis is insufficient to break the
BCJL protocol since the density matrices $\rho_b$ prepared by Alice, when she has respectively
$b = 0$ and $b = 1$ in mind, are not identical.

In fact, the main thrust of the BCJL paper was to prove that Bob could not cheat despite
the fact that he was sent slightly different density matrices by Alice depending on which bit
she wanted to commit to. (Clearly, the protocol could not be secure if the density matrices
had differed too much, because then Bob would be able to distinguish between $b = 0$ and
$b = 1$ without any help from Alice.) In this section, we show that the above mentioned
condition holds under the simplifying assumption $\rho_0 = \rho_1$. In the next section, we shall
consider the situation that really applies to the BCJL protocol.

In the commit part, Alice prepares a pure state of the incremented system such that the
density matrix for the $n$ photons is $\rho = \rho_0 = \rho_1$, that is, the same density matrix that would
have been honestly prepared by Alice no matter whether she had $b = 0$ or $b = 1$ in mind.
Now, let us assume that, after the commit, Alice wants to convince Bob that she had some bit
$b$ of her choice in mind. It is shown in [] that by choosing the appropriate measurement on
$A$, Alice may choose any mixture $\{(|\psi\rangle, p(\psi))\}$ such that $\sum_\psi p(\psi)\,|\psi\rangle\langle\psi| = \rho$. It is explained
in [] that when Alice chooses the mixture $\{(|\psi\rangle, p(\psi))\}$, she receives the classical outcome
$\psi$ with probability $p(\psi)$ and, furthermore, the classical information $\psi$ received by Alice
uniquely determines the collapsed state $|\psi\rangle$ of the $n$ photons on Bob's side. In particular,
Alice may choose $\{(|\psi\rangle, p(\psi))\}$ to be the mixture $\{(|c\rangle_\theta, p(\theta, c \mid b))\}$. We have that the classical
information $\psi$ received by Alice, which uniquely determines the collapsed state $|\psi\rangle = |c\rangle_\theta$
on Bob's side, is $(\theta, c)$. This shows that the above mentioned condition holds.

d. The real situation Now, we consider the real situation in the BCJL protocol, where
the density matrices $\rho_0$ and $\rho_1$ are not identical. We show that if the protocol is secure
against Bob, then it is not secure against Alice. We must start with a necessary and natural
criterion for the security against Bob. We use a criterion that makes sense for anyone who
understands what it means to guess the value of a secret bit. Let $X$ be the random variable
which represents the best guess for the bit $b$ chosen by Alice that can be made by Bob after
the commit phase. Let $\mathbf{b} = b$ if and only if the bit chosen by Alice is $b$. The probability
of error for this guess is $PE = \sum_{b=0}^{1} \Pr(\mathbf{b} = b)\,\Pr(X = \bar b \mid \mathbf{b} = b)$. Now, let $\epsilon = 1/25$. The
criterion is that, for a perfectly random bit $b$ chosen by Alice, we must have $|PE - \tfrac{1}{2}| < \epsilon$.
A probability of error close to 1/2 is a natural criterion to indicate that one did not gain
much information about a bit $b$ that is initially perfectly random. We denote $X_b$ the random
variable $X$ conditioned by $\mathbf{b} = b$ so that $\Pr(X = x \mid \mathbf{b} = b) = \Pr(X_b = x)$. The Kolmogorov
distance $K(p_0, p_1)$ between two distributions of probability $p_0$, $p_1$ on a set $A$ is defined by
$K(p_0, p_1) = \sum_{x \in A} |p_0(x) - p_1(x)|$. Let $p_b(x) = \Pr(X_b = x)$. After some algebra, one obtains
that the criterion $|PE - \tfrac{1}{2}| < \epsilon$ implies that $K(p_0, p_1) < 4\epsilon$. However, this inequality has
been obtained for values of $K$ that are defined in terms of measurements that return two
outcomes, whereas the Kolmogorov distance $K$ can be defined for an arbitrary number
of outcomes. Let us show that, if the inequality $K < 4\epsilon$ holds for any binary outcome
measurement, the same inequality holds for an arbitrary measurement. It is shown in [6], []
that the most general measurement on the $n$ photons that is allowed by quantum mechanics
can be described by operators $M_1^{(B)}, \ldots, M_k^{(B)}$ given by equations $M_j^{(B)} = P_j U$ where $U$ is an
isometry from the space of the $n$ photons to some other Hilbert space $H$ and the operators
$P_j$ are projection operators that define an orthogonal measurement on $H$. The exponent
$(B)$ reminds us that the measurement is executed by Bob. The classical outcome $j$ returned
by this measurement is the value taken by a random variable $J$. Again, we denote $J_b$ the
random variable $J$ conditioned by $\mathbf{b} = b$. Let $A$ be the set of possible values for $J$. Let
$A_0 = \{j \in A \mid \Pr(J_0 = j) > \Pr(J_1 = j)\}$ and $A_1 = A - A_0 = \{j \in A \mid \Pr(J_1 = j) > \Pr(J_0 = j)\}$.



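We define $M'_0 = \sum_{j \in A_0} M_j^{(B)}$ and $M'_1 = \sum_{j \in A_1} M_j^{(B)}$. One may easily check that $M'_0$ and $M'_1$
define an incomplete measurement with a binary classical outcome. Let $X$ be the random
binary outcome of this measurement. We have that $\Pr(X_b = x) = \Pr(J_b \in A_x)$. As desired
we obtain:

$$
\begin{aligned}
K &= \sum_{j \in A} |\Pr(J_0 = j) - \Pr(J_1 = j)| \\
  &= \sum_{j \in A_0} \bigl(\Pr(J_0 = j) - \Pr(J_1 = j)\bigr) + \sum_{j \in A_1} \bigl(\Pr(J_1 = j) - \Pr(J_0 = j)\bigr) \\
  &= \bigl(\Pr(J_0 \in A_0) - \Pr(J_1 \in A_0)\bigr) + \bigl(\Pr(J_1 \in A_1) - \Pr(J_0 \in A_1)\bigr) \\
  &= |\Pr(X_0 = 0) - \Pr(X_1 = 0)| + |\Pr(X_1 = 1) - \Pr(X_0 = 1)| \\
  &< 4\epsilon
\end{aligned}
$$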



Now, let us consider the Bhattacharyya-Wootters distance [7, 15, 18]

$$
BW = \sum_{j \in A} \sqrt{\Pr(J_0 = j)}\,\sqrt{\Pr(J_1 = j)}.
$$



It is explained in [15] that $(1 - BW) < K/2$. Therefore, we have $BW > (1 - 2\epsilon)$.
Furthermore, in [], [] it is shown that the minimum of $BW$ over all possible measurements is the
fidelity $F$ between $\rho_0$ and $\rho_1$. So, we have $1 > F > (1 - 2\epsilon)$. A purification of $\rho_b$ is simply
a pure state of the overall system that has $\rho_b$ for density matrix on Bob's side. A theorem
due to Uhlmann [], [16] says that the fidelity between two mixed states $\rho_0$ and $\rho_1$ is given by

$$
F = \max |\langle \phi_0 | \phi_1 \rangle|^2
$$

where the maximum is taken over the purifications $\phi_0$ and $\phi_1$ of $\rho_0$ and $\rho_1$ respectively.
Therefore, there exist two purifications $\phi_0$ and $\phi_1$ such that

$$
\langle \phi_0 | \phi_1 \rangle^2 = F > (1 - 2\epsilon).
$$
We describe Alice's strategy. Alice prepares the incremented system in the state $|\phi_0\rangle$.
Clearly, if Alice prepares the state $|\phi_0\rangle$, she can choose a measurement $M_0^{(A)}$ that returns
$\psi = (\theta, c)$ which will convince Bob that she had $b = 0$ in mind.

Now, assume that Alice has prepared $|\phi\rangle = |\phi_0\rangle$, but wants to convince Bob that she
had $b = 1$ in mind. We show that the measurement $M_1^{(A)}$ that works when Alice prepares
the state $|\phi_1\rangle$ works as well even if Alice has prepared the state $|\phi_0\rangle$. On Bob's side we may
consider that Bob executes a measurement $M^{(B)}$ that computes $(\hat\theta, \hat c)$. Alice's measurement
$M_1^{(A)}$ and Bob's measurement $M^{(B)}$, both together, determine an overall measurement $M_1$
on the overall system. The classical outcome of this overall measurement is denoted
$y = (\theta, c, \hat\theta, \hat c)$. This measurement is determined by an isometry $U_1$ and projection operators $P_{1,y}$
that define an orthogonal measurement on the image of $U_1$. We have that $M_{1,y} = P_{1,y} U_1$
is the collapse operator associated with the outcome $y$. We have $\Pr(Y = y \mid \Phi = \phi) = \| M_{1,y} |\phi\rangle \|^2$
and $\Pr(T_1(Y) = \text{ok} \mid \Phi = \phi) = \| M_{1,\text{ok}} |\phi\rangle \|^2$, where $M_{1,\text{ok}} = \sum_{y \,:\, T_1(y) = \text{ok}} M_{1,y}$. We
obtain:

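$$
\begin{aligned}
&\bigl| \Pr(T_1(Y) = \text{ok} \mid \Phi = \phi_0) - \Pr(T_1(Y) = \text{ok} \mid \Phi = \phi_1) \bigr| \\
&\quad = \bigl|\, \| M_{1,\text{ok}} |\phi_0\rangle \|^2 - \| M_{1,\text{ok}} |\phi_1\rangle \|^2 \,\bigr| \\
&\quad < 2 \times \| M_{1,\text{ok}} (|\phi_0\rangle - |\phi_1\rangle) \| \\
&\quad < 2 \times \| (|\phi_0\rangle - |\phi_1\rangle) \| \\
&\quad = 2 \times \sqrt{2 (1 - \langle \phi_0 | \phi_1 \rangle)} < 4\sqrt{\epsilon}.
\end{aligned}
$$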

If the protocol is correct, we can also assume that $\Pr(T_1(Y) = \text{ok} \mid \Phi = \phi_1) > 1 - \epsilon'$ where
$\epsilon' = 1/25$. Therefore, we obtain that $\Pr(T_1(Y) = \text{ok} \mid \Phi = \phi_0) > 1 - \epsilon' - 4\sqrt{\epsilon} = 4/25$. This
concludes the proof that the BCJL protocol is insecure.
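
A one-photon toy that exercises both arguments above: the identical-density-matrix case of Section c (eta = 0) and the nearly identical case of Section d (eta > 0). It is an added example, not taken from the paper. The ensembles, the acceptance test and every name in it are assumptions: the bit selects the basis, and Bob accepts iff his outcome in that basis matches the c that Alice announces.

```python
import math

S = 1 / math.sqrt(2)
# Constructed toy (an assumption, not the BCJL COMMIT): one photon, and the bit
# b selects the basis. Honest b=0: |0>,|1> with weights 1/2+eta, 1/2-eta.
# Honest b=1: |+>,|-> with weights 1/2, 1/2. eta = 0 gives rho_0 = rho_1.
BASIS = {0: [(1.0, 0.0), (0.0, 1.0)], 1: [(S, S), (S, -S)]}

def weights(b, eta):
    return [0.5 + eta, 0.5 - eta] if b == 0 else [0.5, 0.5]

def purification(b, eta):
    """|phi_b> = sum_c sqrt(w_c) |e_c>_A |e_c>_Bob as amplitudes phi[a][k]
    (a indexes Alice's system A, k indexes the photon on Bob's side)."""
    w = weights(b, eta)
    return [[sum(math.sqrt(w[c]) * BASIS[b][c][a] * BASIS[b][c][k]
                 for c in range(2)) for k in range(2)] for a in range(2)]

def rho_bob(phi):
    """Density matrix of Bob's photon: trace out A from |phi><phi|."""
    return [[sum(phi[a][i] * phi[a][j] for a in range(2))
             for j in range(2)] for i in range(2)]

def accept_prob(phi, b):
    """Pr(T_b = ok) for the toy test: Alice measures A in BASIS[b] and announces
    c; Bob measures his photon in the same basis and accepts iff he also gets c.
    This is ||M_ok |phi>||^2 with M_ok = sum_c |e_c e_c><e_c e_c|."""
    return sum(sum(e[a] * phi[a][k] * e[k]
                   for a in range(2) for k in range(2)) ** 2 for e in BASIS[b])

def overlap(u, v):
    return sum(u[a][k] * v[a][k] for a in range(2) for k in range(2))

def cheat(eta):
    """Alice always prepares |phi_0> and picks her measurement after the commit.
    Returns (Pr ok when unveiling 0, Pr ok when unveiling 1,
             2*sqrt(2(1 - <phi_0|phi_1>)), the bound from the derivation)."""
    phi0, phi1 = purification(0, eta), purification(1, eta)
    bound = 2 * math.sqrt(max(0.0, 2 * (1 - overlap(phi0, phi1))))
    return accept_prob(phi0, 0), accept_prob(phi0, 1), bound

if __name__ == "__main__":
    for eta in (0.0, 0.02, 0.1):
        ok0, ok1, bound = cheat(eta)
        print(f"eta={eta}: unveil 0 ok={ok0:.4f}, unveil 1 ok={ok1:.4f}, "
              f"1-ok1={1 - ok1:.4f} <= bound={bound:.4f}")
```

In this toy the honest acceptance probability for b = 1 is 1, so the loss 1 - ok1 is the quantity the derivation bounds; the purification pair used here is not claimed to be the overlap-maximizing one from Uhlmann's theorem.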